Government Contractor Compliance & Regulatory Update

U.S. House Committee on Appropriations Votes to Defund Revised Form EEO-1 Requiring Disclosure of Pay Data

Posted in Compensation, Discrimination, EEOC, Federal Contractors

On July 13, 2017, the House Committee on Appropriations voted to defund efforts to implement the Equal Employment Opportunity Commission’s (“EEOC”) revised Form EEO-1.  If the Appropriations Bill is ultimately passed, it will severely limit the EEOC’s ability to implement its revised EEO-1.

This development is particularly important for government contractors.  Government contractors have a lower threshold for EEO-1 compliance than traditional employers (government contractors with 50 or more employees must file an EEO-1, while traditional employers need only file an EEO-1 if they have 100 or more employees).  Thus, the revised EEO-1 is bound to disproportionately impact the government contractor community.  Moreover, government contractors have faced increased scrutiny in recent years from the OFCCP concerning compensation discrimination – particularly those contractors in the service industry and technology industry.  As such, avoiding another level of compensation disclosures through the revised EEO-1 – which OFCCP had planned to use to identify targets for audit – is highly beneficial to government contractors.

For more comprehensive coverage of these issues, please review our post on Law and the Workplace, available here.

Google Prevails, In Part (And For Now), In Compensation Data Dispute With OFCCP

Posted in Discrimination, OFCCP

On July 14, 2017, an Administrative Law Judge (“ALJ”) for the Department of Labor issued a Recommended Decision and Order (the “Opinion”) in the case brought by the Office of Federal Contract Compliance Programs (“OFCCP”) against Google over Google’s refusal to turn over certain employee data as part of a compliance audit.  The ALJ’s thorough opinion is informative, providing insights into OFCCP’s processes in compliance audits, basic canons of administrative and constitutional law, as well as the administrative proceedings that have garnered so much of the government contractor community’s attention.

Many of the commentators initially declared the decision a big “win” for Google and the government contractor community generally.  Although Google succeeded in part in its efforts to resist OFCCP’s invasive and burdensome data demands, its success in the proceeding was limited.  In the end, Google avoided only one (albeit a significant one) of OFCCP’s data requests.  Moreover, the Opinion does not preclude OFCCP from seeking that information again in the future.  Further, the record reflects that prior to these proceedings, Google produced significant quantities of data and documents to OFCCP at considerable cost and burden – by Google’s estimates the collection process cost $500,000 and took 2,300 person hours.  Although Google obtained some favorable rulings that contractors can use in their dealings with OFCCP, it is unclear whether this ruling will permit contractors to obtain significant relief from OFCCP’s demands in the future.

Background Of The Case

The case arose out of a traditional compliance evaluation of Google’s headquarters, which commenced in 2015.  In response to its initial scheduling letter, OFCCP received from Google a snapshot of compensation data for over 21,000 employees, including data such as “gender, ‘race/ethnicity,’ hire date, job title, EEO-1 category (such as clerical or executive), job group, base salary or wage rate, hours worked in a typical workweek, and other compensation or adjustments to salary (bonuses, incentives, commissions, merit increases, locality pay, and overtime).”  After several follow-up requests for information and data, the evaluation morphed into an onsite review that included interviews of more than 20 managers.

Following the interviews, OFCCP requested additional information, including the following categories of information for each of the employees in the establishment:

name, date of birth, bonus earned, bonus period covered, campus hire or industry hire …, whether the employee had a competing offer, current “CompaRatio,” current job code, current job family, current level, current manager, current organization, department hired into, education, equity adjustment, hiring manager, job history, locality, long-term incentive eligibility and grants, market reference point, market target, performance rating for past 3 years, prior experience, prior salary, referral bonus, salary history, short-term incentive eligibility and grants, starting CompaRatio, starting job code, starting job family, starting level, starting organization, starting position/title, starting salary, stock monetary value at award date, target bonus, and total cash compensation, and ‘any other factors related to Compensation.’

Google produced most of this information to OFCCP.  Then, OFCCP requested that Google again supplement its snapshot data to include the following additional categories of information:  “the employees’ ID, country of citizenship, secondary country of citizenship, visa (yes/no), visa type, and place of birth.”  Google produced this data as well.  All in, Google produced “844,560 compensation data points for the 21,114 employees on the snapshot.”  However, Google refused to comply with a number of the additional requests of OFCCP, including:

  1. “A “snapshot” as of September 1, 2014 – a year earlier than the first snapshot.”
  2. “A salary history (a list of starting salary and each salary change) and job history (a list of starting job and each change in job) for each person whom Google employed at its headquarters on either of the two snapshot dates. The histories must cover the entire time Google employed each person, going back for its longest-term employees to the founding of the corporation in 1998.”
  3. “The name, address, telephone number, and personal email of every employee reflected on either the 2014 snapshot or the 2015 snapshot.”

After Google refused to produce the requested information, OFCCP filed a complaint against Google to compel production.

The ALJ’s Rulings

After a hearing on the matter, the ALJ found that OFCCP’s request for an additional data snapshot from September 1, 2014 was reasonable.  OFCCP argued that “an additional snapshot is relevant because it will show whether the same indications of a possible adverse impact violation existed over time, not just on the single day reflected on the September 1, 2015 snapshot.”  After a detailed analysis, the ALJ found that OFCCP had provided sufficient evidence “to meet the deferential standard that applies in the narrow Fourth Amendment review appropriate to administrative subpoenas.”

In ruling that Google needed to provide the additional snapshot data, the ALJ found “no reason to question the relevance of most of the data categories that OFCCP requests Google include on the snapshot.”  He did, however, modify the required data fields slightly to exclude:  “place of birth, citizenship, and visa status,” “any other factors related to compensation” (because “OFCCP ha[d] withdrawn [its] request” for this information), “date of birth” and “locality information.”  The ALJ found these categories either irrelevant or unduly burdensome for Google.

With respect to the request for contact information for all employees at Google headquarters, the ALJ ruled that this request, as written, was unreasonable.  The ALJ seemed most concerned about the “extent to which the employee contact information, once at OFCCP, will be secure from hacking, OFCCP employee misuse, and similar potential intrusions or disclosures.”  He also raised questions about employee due process, as their information was being provided to the government without their knowledge and without their ability to opt out.  Based on these concerns, the ALJ ruled that after conducting more due diligence as to Google’s compensation procedures, OFCCP can request a list of 5,000 employee names and Google will provide the contact information for those employees.  This will allow OFCCP to determine which 100-300 employees it wishes to interview, without Google knowing the identities of these employees.  The ALJ also ruled that, if needed, OFCCP may request contact information for an additional 3,000 employees following the interviews of its first group of employees.

Finally, the ALJ denied “without prejudice” OFCCP’s request for historical compensation information going back to each employee’s hire date.  The ALJ reasoned that OFCCP had not sufficiently supported its need for the information to conduct its investigation.  He found that although OFCCP had identified disparities in Google’s compensation and had developed a theory as to the cause of those disparities, it had failed to take steps to investigate Google’s compensation practices to test its theory before demanding voluminous and burdensome compensation data.

For example, OFCCP supported its request by theorizing that Google’s alleged compensation disparities are the result of women being less effective negotiators than men at the time of hire.  However, the hearing record showed that Google generally does not negotiate compensation at the time of hire or promotion.  As such, OFCCP had failed to test its theory against Google’s actual practices before making its burdensome request.  Moreover, the support OFCCP offered for this theory – two media articles – was stricken from the record by the ALJ.

Even so, the ALJ invited OFCCP to request this information in the future “if it can show that the request is reasonable, within its authority, relevant to the investigation, focused, and not unduly burdensome.”  However, the ALJ ordered OFCCP to “offer to engage with Google in meaningful, good faith conciliation to resolve any dispute, including by showing why the information sought is reasonable, relevant, focused, and not unduly burdensome” prior to engaging in any further litigation.

Key Takeaways

Putting aside the specifics of the ALJ’s rulings, his thoughtful Opinion provides contractors with helpful guidance to use when under audit by OFCCP.

  • Signing a Government Contract Does Not Waive Contractors’ Fourth Amendment Rights. The ALJ forcefully rejected OFCCP’s argument that by signing a government contract with a provision permitting the government to access its records, Google had waived its Fourth Amendment rights in their entirety – deeming OFCCP’s position to be “without merit.”  As such, contractors can point to the Opinion if faced with overzealous compliance officers claiming they have an unfettered right to access contractor files.  Rather, such requests must be reasonable, relevant and material to the investigation and may not be too indefinite or broad.  To this end, the ALJ deemed requests for information concerning employees’ place of birth, citizenship or visa status irrelevant to matters within OFCCP’s authority.
  • OFCCP Must Be More Transparent. The ALJ emphasized that when Google first resisted OFCCP’s third effort to obtain these data, it demanded to know the issues OFCCP was investigating and “in what part of Google’s operations those issues arose.”  At that point, Google had provided extensive compensation data, and OFCCP had provided “no information about the issues it was finding, which prevented Google from evaluating whether OFCCP’s additional requests were relevant to the investigation.”  OFCCP refused to explain to Google its findings or its justification for its broad request.  Instead, it ordered Google to show cause why OFCCP should not bring an enforcement action.  “Google responded with an offer to continue producing certain information and discuss[] the parties’ disagreement,” and noted that OFCCP’s refusal to provide any explanation of the relevance of the information sought contravened its own regulations.  In response, OFCCP filed its administrative action against Google.  It was only during the administrative hearing that Google learned for the first time that OFCCP was investigating potential “systemic compensation disparities against women.”

Google’s experience unfortunately is not unusual.  Contractors participating in a compliance audit often are frustrated by OFCCP’s refusal to explain why its data requests are relevant or to share even the most basic information about its investigations.  Contractors are often left with a difficult choice:  comply with what appear to be unreasonable and/or unfounded requests, or challenge OFCCP and risk litigation.[1]  The Opinion makes clear that if OFCCP had provided information about its findings in its investigation, litigation could have been avoided.  Google had been very cooperative earlier in the investigation, and may have continued to provide information if OFCCP had provided the information necessary to assess the reasonableness of OFCCP’s requests.  In addition, the dialogue that may have ensued may have caused OFCCP to reconsider the scope of its requests.

With the Opinion, contractors now have a helpful resource upon which to rely when facing what appear to be unreasonable requests for information and compliance officers unwilling to provide information justifying the requests.

  • OFCCP Must Identify The Cause For Disparities That Exist And Must Tether Its Requests To That Cause. The ALJ noted that in requesting additional compensation information during its compliance evaluation, “OFCCP is on a search for the cause of a disparity it has found on a preliminary basis.”  The ALJ pointed to Directive 307 – “Procedures for Reviewing Contractor Compensation Systems and Practices” – as the standard OFCCP must follow to identify the cause of any pay disparities.  The ALJ found that “OFCCP should engage in an iterative process, asking Google for information, interviewing Google’s officials and managers, reviewing the documentary materials and data Google has produced, considering information gathered from the EEOC and the California Department of Fair Employment and Housing, and reviewing information from any other source it has.”  Following this, OFCCP “should consider Google’s statements of its policies and practices …,” “determine whether Google’s representations are consistent with the data and other information obtained,” and “then adjust its models and request further information consistent with observable indicators in the information it has.”

The ALJ found that, absent this process, “OFCCP’s requests for information are untethered to any factual basis and are no more than speculation.”  It is on this basis that the ALJ found OFCCP’s request for historical compensation data to be unreasonable.  The ALJ found that “OFCCP has not taken sufficient steps to learn how Google’s system works, identify actual policies and practices that might cause the disparity, and then craft focused requests for information that bears on these identified potential causes,” resulting in the requests being “unreasonable: unfocused, irrelevant, and unduly burdensome.”

Based on this analysis, when faced with additional compensation data requests by OFCCP, contractors should press the agency to identify and justify the specific practice it believes caused the disparity.  This will allow contractors to engage in a dialogue with OFCCP regarding this claimed practice and to determine whether OFCCP has undertaken all of the steps specified in Directive 307 before it demands the production of additional data supporting its claim.  Contractors should point to this decision as support for the notion that contractors need not merely acquiesce to unreasonable demands from OFCCP until it undertakes the steps specified in the Directive and then provides additional information to support the justification for its requests.

[1] Proskauer’s approach to representing clients in OFCCP’s audits aims to avoid such circumstances by developing a good rapport with OFCCP compliance officers so when disputes arise they can usually be negotiated to a mutually-satisfactory resolution.

Contractors with Access to Classified Information Now Subject to Heightened Reporting Requirements

Posted in Federal Contractors

Effective June 12, 2017, executive branch agency employees, contractors and subcontractors who have access to classified information or hold sensitive positions must report personal trips abroad as well as a wide range of foreign contacts. This new security directive, “Reporting Requirements for Personnel With Access to Classified Information or Who Hold a Sensitive Position,” was issued by the Office of the Director of National Intelligence and establishes fundamental reporting requirements while still allowing agency heads to impose additional reporting requirements in accordance with their respective authorities.

Specifically, under the directive, contractors who hold sensitive positions or have access to classified information must report all unofficial foreign travel and substantive foreign contacts to their agency head or designee. Contractors must receive approval prior to their foreign travel, with some exceptions, including:

  • Travel to Puerto Rico, Guam or other U.S. possessions and territories is not considered foreign travel and need not be reported; and
  • Unplanned day trips to Canada or Mexico must only be reported upon return, and such reporting must be within five business days.

Contractors with access to classified information must also report “unofficial contact with a known or suspected foreign intelligence entity” and any “[c]ontinuing association with known foreign nationals that involve bonds of affection, personal obligation, or intimate contact.” Contact with a foreign national that “involves the exchange of personal information” must also be reported.

In addition, the directive requires that contractors with access to secret and confidential information and/or top secret information report certain activities, such as:

  • Application for and receipt of foreign citizenship;
  • Application for, possession or use of a foreign passport or identity card for travel;
  • Attempted elicitation, exploitation, blackmail, coercion or enticement to obtain classified information; and
  • Media requests for classified information.

Finally, under the directive, contractors must alert agency heads of their coworkers’ actions in certain situations that touch security or counterintelligence concerns, including when a colleague:

  • Is unwilling to comply with agency rules;
  • Has unexplained affluence or excessive indebtedness;
  • Has apparent or suspected mental health issues that may impact the individual’s ability to protect classified information; or
  • Misuses government property or information systems.

These reporting requirements were approved in December as part of the Insider Threat Program initiated by then-President Barack Obama after several high-profile leaks of classified information.

Labor Secretary Defends OFCCP-EEOC Merger

Posted in OFCCP

As previously reported, the Trump Administration’s proposed budget for fiscal year 2018 includes a plan to merge the Office of Federal Contract Compliance Programs (“OFCCP”) into the Equal Employment Opportunity Commission (“EEOC”). Pragmatically, this would add the OFCCP’s broad responsibilities to an already overburdened EEOC, without providing the EEOC any additional funding to accomplish its newly added workload.

On June 7, 2017, Labor Secretary Alexander Acosta testified at a House Appropriations subcommittee hearing in support of the proposal. The Labor Secretary touted the merger as a “commonsense change” that “combines two civil rights agencies that already work together closely.”  The merger, according to Secretary Acosta, would achieve a cost saving without reducing enforcement.

President Trump’s proposal appears to stem from a long-standing recommendation by the Heritage Foundation, a conservative think tank in Washington, to eliminate the OFCCP on the ground that its function has become redundant. The proposal is also defended as part of President Trump’s goal – made explicit in the Executive Order issued on March 13, 2017 – to improve the efficiency of the executive branch by eliminating unnecessary agencies and components of agencies, and merging agency functions as necessary.

However, for the moment, the proposal appears unlikely to gain traction. As pointed out at today’s hearing by Rep. Barbara Lee (D-Calif), the NAACP and the US Chamber of Commerce – two entities that rarely agree with each other – both oppose the proposal. Indeed, seventy-three civil rights groups, including the NAACP, sent a letter to Congress and to Secretary Acosta condemning the measure. And, as Secretary Acosta recognized at today’s hearing, any merger would require separate legislation to streamline the different functions of the two agencies.

We will continue to monitor developments on this issue.

Trump Administration’s Budget Proposes Major Changes For OFCCP

Posted in Department of Labor, OFCCP

On May 23, 2017, the Trump Administration released its proposed fiscal year 2018 budget. Not surprisingly, the budget proposes significant changes for the Office of Federal Contract Compliance Programs (“OFCCP”).  In the Department of Labor’s budget proposal, the Administration has laid the groundwork to merge the OFCCP into the Equal Employment Opportunity Commission (“EEOC”) by the end of fiscal year 2018.  The merger is touted as intended to promote “greater policy coordination, management efficiency, and cost-effectiveness.”  According to the Administration, maintaining OFCCP as a separate agency “does not take full advantage of the opportunities to improve employment civil rights protection.”  It is worth noting that although the merger is the focal point of the OFCCP budget proposal, it appears to have little support outside of the Administration. Indeed, opposition to the proposal is shared by both business groups and workers’ rights advocates.

In addition, the proposed budget:

  • Allocates $88 million to the OFCCP, a decrease of nearly $17.3 million (or 16.4%) from fiscal year 2017; and
  • Cuts the OFCCP’s headcount from 571 full-time equivalents (“FTEs”) to 440 FTEs, a reduction of 131 FTEs (nearly 23%) from fiscal year 2017.

The proposed budget identifies priorities for the OFCCP in fiscal year 2018, which include the EEOC-OFCCP merger and “combating pay discrimination through intensive contractor compliance assistance aimed at educating contractors about their contractual obligations, supporting their voluntary compliance with those obligations, and conducting high quality compliance evaluations.”

The budget document also announces that the OFCCP will establish its two “Skilled Regional Centers.” These centers, to be located in San Francisco and New York, “would have highly skilled and specialized compliance officers capable of handling various large, complex compliance evaluations in specific industries, such as financial services or information technology.”  These centers appear to be part of a plan to reduce the number of field area and district offices.

Of course, the President’s proposed budget is just a proposal for Congress to consider as it prepares its appropriation bills. We will continue to monitor and report significant developments in the budget process.

OFCCP Announces New Veteran Hiring Benchmark

Posted in OFCCP

The OFCCP has announced its 2017 Vietnam Era Veterans’ Readjustment Assistance Act (VEVRAA) Benchmark. The new benchmark is 6.7%, slightly lower than the previous year’s 6.9% benchmark.

The VEVRAA Benchmark is the figure that federal contractors must use to assess the effectiveness of their outreach programs for the hiring of veterans. Contractors may either use the OFCCP’s national benchmark, or establish their own benchmark using applicable statistics and other metrics set forth in OFCCP’s regulations (41 CFR §60-300.45(b)(2)).

BREAKING: Blacklisting Rule Is Officially and Completely Dead

Posted in Federal Acquisitions, Federal Contractors

Yesterday (March 27, 2017), President Trump signed into law a Congressional Joint Resolution of Disapproval (the “Resolution”), revoking the rules implementing the controversial Fair Pay and Safe Workplaces Executive Order, better known as the Blacklisting Rule.  The same day, President Trump issued a new Executive Order – The “Presidential Executive Order on the Revocation of Federal Contracting Executive Orders” – officially revoking the Fair Pay and Safe Workplaces Executive Order.

As federal contractors are well aware, the Blacklisting Rule required federal contractors to disclose various “violations” of labor laws to the federal government, imposed new paycheck transparency obligations, created new employee arbitration restrictions, and imposed new independent contractor notification requirements.  Most of these requirements had been enjoined by a federal judge in October 2016, but some of the provisions – specifically, the paycheck transparency and independent contractor notification provisions – remained untouched by the ruling and went into effect January 1, 2017.

To revoke the Blacklisting Rule, Congress utilized the little-used Congressional Review Act (the “CRA”), which allows Congress to review new federal regulations and overrule them by passing a joint resolution within a certain period of time after the regulation is transmitted to Congress.  The CRA had only been used once before to successfully revoke a regulation.  The Resolution passed in the House of Representatives on a 236-187 vote on February 2, 2017.  On March 6, 2017, the Senate passed the Resolution by a narrow 49-48 margin.

With President Trump’s signature and implementation of his own Executive Order, the Rule has met its complete demise.

Renewed OFCCP Voluntary Self-Identification of Disability Form Now Available

Posted in Federal Contractors, OFCCP

Earlier today, the Office of Federal Contract Compliance Programs (OFCCP) announced that the Office of Management and Budget renewed the voluntary self-identification form for individuals with disabilities for an additional three years. This renewed Voluntary Self-Identification of Disability form is exactly the same as the prior form, except that it has a new expiration date of January 31, 2020.  Even so, federal contractors should start using this renewed form immediately.

The Voluntary Self-Identification of Disability form invites job applicants and employees voluntarily to self-identify as being an individual with a disability. The information collected on the self-identification form should be used by covered federal government contractors in determining that they have satisfied the utilization goal established by OFCCP and in conducting data analytics in connection with their affirmative action plans.

Trump Administration Will Retain LGBT Protections for Government Contractor Employees

Posted in Discrimination, OFCCP

Although the first eleven days of the Trump Administration have been full of activity and controversy, federal government contractors have been waiting to see if President Trump will undo or modify the compliance obligations imposed on them through the numerous Executive Orders issued by President Obama.

This morning (January 31, 2017) the White House announced plans with respect to one of those Executive Orders: Executive Order 11478 (the “Order”), which added sexual orientation and gender identity to the classes protected by Executive Order 11246.  According to the statement, the Order “will remain intact at the direction of President Trump.”  The announcement came the day after the press reported that the Trump Administration was contemplating overturning the Order or adding religious-freedom provisions.  The statement made today is silent on the latter point.

You can find our prior blog posts about the Order and its implementing regulations here and here.

The Department Of Homeland Security Proposes New Rules Affecting Federal Government Contractors

Posted in Employment Law

This week, the Department of Homeland Security (“DHS”) issued three proposed rules expanding data security and privacy requirements for contractors and subcontractors. The proposed rules build upon other recent efforts by various federal agencies to strengthen safeguarding requirements for sensitive government information.  Given the increasing emphasis on data security and privacy, contractors and subcontractors are well advised to familiarize themselves with these new requirements and undertake a careful review of their current data security and privacy procedures to ensure they comply.

  • Privacy Training

DHS contracts currently require contractor and subcontractor employees to complete privacy training before accessing a Government system of records; handling Personally Identifiable Information and/or Sensitive Personally Identifiable Information; or designing, developing, maintaining, or operating a Government system of records. DHS proposes to include this training requirement in the Homeland Security Acquisition Regulation (“HSAR”) and to make the training more easily accessible by hosting it on a public website.  By including the rule in the HSAR, DHS would standardize the obligation across all DHS contracts.  The new rule would require the training to be completed within thirty days of the award of a contract and on an annual basis thereafter.

DHS invites comment on the proposed rule. In particular, DHS asks commenters to offer their views on the burden, if any, associated with the requirement to complete DHS-developed privacy training.  DHS also asks whether the industry should be given the flexibility to develop its own privacy training.  Comments must be submitted on or before March 20, 2017.

  • Information Technology Security Awareness Training

DHS currently requires contractor and subcontractor employees to complete information technology security awareness training before accessing DHS information systems and information resources. DHS proposes to amend the HSAR to require IT security awareness training for all contractor and subcontractor employees who will access (1) DHS information systems and information resources or (2) contractor owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting controlled unclassified information (“CUI”) (defined below).  DHS will require employees to undergo training and to sign DHS’s Rules of Behavior (“RoB”) before they are granted access to those systems and resources.  DHS also proposes to make this training and the RoB more easily accessible by hosting them on a public website.  Thereafter, annual training will be required.  In addition, contractors will be required to submit training certification and signed copies of the RoB to the contracting officer and maintain copies in their own records.

Through this proposed rule, DHS intends to require contractors to identify employees who will require access, to ensure that those employees complete training before they are granted access and annually thereafter, and to provide to the government and maintain evidence that training has been conducted. Comments on the proposed rule are due on or before March 20, 2017.

  • Safeguarding of Controlled Unclassified Information

DHS’s third proposed rule will implement new security and privacy measures, including handling and incident reporting requirements, in order to better safeguard CUI. According to DHS, “[r]ecent high-profile breaches of Federal information further demonstrate the need to ensure that information security protections are clearly, effectively, and consistently addressed in contracts.”  Accordingly, the proposed rule – which addresses specific safeguarding requirements outlined in an Office of Management and Budget document outlining policy on managing government data – is intended to “strengthen[] and expand[]” upon existing HSAR language.

DHS’s proposed rule broadly defines “CUI” as “any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls[,]” including any “such information which, if lost, misused, disclosed, or, without authorization is accessed, or modified, could adversely affect the national or homeland security interest, the conduct of Federal programs, or the privacy of individuals.” The new safeguarding requirements, which apply to both contractors and subcontractors, include mandatory contract clauses; collection, processing, storage, and transmittal guidelines (which incorporate by reference any existing DHS policies and procedures); incident reporting timelines; and inspection provisions. Comments on the proposed rule are due on or before March 20, 2017.

  • Other Recent Efforts To Safeguard Contract Information

DHS’s new rules follow a number of other recent efforts by the federal government to better control CUI and other sensitive government information.

Last fall, for example, the National Archives and Record Administration (“NARA”) issued a final rule standardizing marking and handling requirements for CUI. The final rule, which went into effect on November 14, 2016, clarifies and standardizes the treatment of CUI across the federal government.

NARA’s final rule defines “CUI” as an intermediate level of protected information between classified information and uncontrolled information.  As defined, it includes such broad categories of information as proprietary information, export-controlled information, and certain information relating to legal proceedings.  The final rule also makes an important distinction between two types of systems that process, store or transmit CUI:  (1) information systems “used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency”; and (2) other systems that are not operated on behalf of an agency but that otherwise store, transmit, or process CUI.

Although the final rule directly applies only to federal agencies, it directs agencies to include CUI protection requirements in all federal agreements (including contracts, grants and licenses) that may involve such information.  As a result, its requirements indirectly extend to government contractors.  At the same time, however, it is likely that some government contractor systems will fall into the second category of systems and will not have to abide by the final rule’s restrictions.  A pending FAR case and anticipated forthcoming FAR regulation will further implement this directive for federal contractors.

Similarly, last year the Department of Defense (“DOD”), General Services Administration, and the National Aeronautics and Space Administration issued a new subpart and contract clause (52.204-21) to the FAR “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.”  The provision adds a number of new information security controls with which contractors must comply.

DOD’s final rule imposes a set of fifteen “basic” security controls for covered “contractor information systems” upon which “Federal contract information” transits or resides.  The new controls include:

(1) limiting access to the information to authorized users;

(2) limiting information system access to the types of transactions and functions that authorized users are permitted to execute;

(3) verifying controls on connections to external information systems;

(4) imposing controls on information that is posted or processed on publicly accessible information systems;

(5) identifying information system users and processes acting on behalf of users or devices;

(6) authenticating or verifying the identities of users, processes, and devices before allowing access to an information system;

(7) sanitizing or destroying information system media containing Federal contract information before disposal, release, or reuse;

(8) limiting physical access to information systems, equipment, and operating environments to authorized individuals;

(9) escorting visitors and monitoring visitor activity, maintaining audit logs of physical access, and controlling and managing physical access devices;

(10) monitoring, controlling, and protecting organizational communications at external boundaries and key internal boundaries of information systems;

(11) implementing subnetworks for publicly accessible system components that are physically or logically separated from internal networks;

(12) identifying, reporting, and correcting information and information system flaws in a timely manner;

(13) providing protection from malicious code at appropriate locations within organizational information systems;

(14) updating malicious code protection mechanisms when new releases are available; and

(15) performing periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

“Federal contract information” is broadly defined to include any information provided by or generated for the federal government under a government contract.  It does not, however, include either:  (1) information provided by the Government to the public, such as on a website; or (2) simple transactional information, such as that needed to process payments.  A “covered contractor information system” is defined as one that is:  (1) owned or operated by a contractor; and (2) “possesses, stores, or transmits” Federal contract information.